- POLICY STATEMENT
The policy is to direct the processing of personal information and the incorporation of privacy by design in the development and acquisition of new technologies and business processes of HWSETA.
- POLICY PURPOSE
Personal information is highly sensitive and becoming regulated. The processing of personal information requires specific attention and a high level of protection. Sufficient measures commensurate with the risk shall be taken to protect personal information against accidental or unauthorised modifications, disclosure and / or destruction, as well as to assure the confidentiality, integrity and availability of personal information in HWSETA’s possession or under its control. The objective of the protection of personal information is to ensure that the constitutional right individuals have to privacy is respected and that HWSETA’s business practices comply with the statutory conditions for the lawful processing of personal information.
- LEGISLATIVE FRAMEWORK
See Corporate Governance of ICT Charter (Policy 0#30), and Corporate Governance of ICT Policy (Policy 0#29)
Personal Information / Data
“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
ICT: Information, Communication and Related Technologies
PAIA: Promotion of Access to Information Act
POPIA: Protection of Personal Information Act
- SCOPE AND APPLICABILITY
This policy applies to HWSETA, its employees, including temporary employees, contractors, service providers, and consultants utilising HWSETA’s information system resources. It covers all HWSETA data, data processing networks, servers, personal computers, digital devices, file stores and any other computing equipment, located at HWSETA and non-HWSETA locations.
Executive Managers are the responsible parties whose personal details are to be registered with the Regulator and who are accountable for the manner in which personal information is processed in their respective areas. Each Executive Manager is personally responsible for collecting and registering the correct details with the Information Regulator.
Each Executive Manager is required to maintain an inventory of personal information processed and details of the business processes in their respective areas that make use of personal information, including the accounting of the processes, systems, databases and third-parties involved with processing personal information.
Each Executive Manager is responsible within their respective areas for the policies over privacy and the use (from collection to destruction) and protection of personal information; the procedures and controls to actively enforce policy and other compliance obligations, and monitoring those procedures and controls to ensure they remain intact and effective.
- PROCESSING LIMITATION
The processing of personal information shall at all times be within the context of HWSETA’s defined business processes. HWSETA only uses personal information for the purposes for which it was given by staff, clients and third-parties, or for purposes which are directly related to one of our defined business processes, and HWSETA does not give personal data to any other individual, public or private body unless one of the following applies:
- the individual has consented
- the individual would reasonably expect that it is absolutely necessary, or has been told, that information of that kind is to be passed to other private or public bodies
- it is required or authorised by law
- it will prevent or lessen a serious and imminent threat to somebody’s life or health
- it is reasonably necessary for the enforcement of the criminal law, the protection of public good or purposes of the Receiver of Revenue.
The use of personal data is limited to the stated purpose of the defined business process. It is HWSETA’s usual practice to collect personal information directly from the individual unless it is contained in a public record.
It is our policy that every individual be given the opportunity to object, in the prescribed manner, to HWSETA’s use of their personal data.
- PURPOSE SPECIFICATION
It is HWSETA’s policy to collect personal information only for the specifically defined, lawful purpose relating to a function of a responsible party as described in our Promotion of Access to Information Act (PAIA) manual. Each responsible party is to ensure that:
- the individuals whose personal data HWSETA uses are aware of our purpose for collecting their data,
- HWSETA processes their personal information for the specific purpose of the business process and for each additional purpose not directly related to the business processes specifically relevant to the individual concerned, and that
- record retention is no longer than necessary.
It is HWSETA’s usual practice to make it clear to the individual the purpose of our processing their personal information before we make use of it, unless there is a law that requires us to do so without first obtaining permission.
Sometimes HWSETA collects personal information from a third party or a publicly available source, but only after we have ensured that the party who collected the information did so in a legal manner, or if it is necessary for a specific purpose required by the Receiver of Revenue.
In limited circumstances HWSETA may receive personal information about third parties from individuals who contact HWSETA and supply HWSETA with the personal information of others in the documents they provide to us. In these circumstances HWSETA will attempt to ensure that the consent of those third parties is obtained if HWSETA thinks it may need to use or disclose that information.
HWSETA will allow the individual to make choices with respect to receiving marketing communications and HWSETA will respect such choices.
- FURTHER PROCESSING LIMITATION
It is HWSETA’s usual practice to ensure that all processing of personal information is compatible with the original purpose of collecting it and that HWSETA’s responsible parties are fully aware of the potential consequences of further processing. Each of the responsible parties is required to be proactive in ensuring that the further processing of personal data is prevented.
It is HWSETA policy not to mine data beyond the original purpose for processing personal data as defined in our business processes. Each responsible party in our organisation is required to take the steps necessary to stop any unlawful processing of personal data.
If we wish to retain personal data for historical, statistical or research purposes HWSETA will always obtain the data subject’s permission first.
- INFORMATION QUALITY
HWSETA will take steps to ensure that the personal information it collects is accurate, up to date and complete; also in the sense of necessity and minimality. These steps include maintaining and updating personal information when HWSETA is advised by individuals that their personal information has changed, and at any other times as is necessary.
HWSETA’s responsible parties periodically check that there are adequate controls in place to maintain the integrity of personal data and ensure that personal data is not misleading.
It is HWSETA’s usual practice to only process personal data for the purpose described in our PAIA manual unless the personal information is already in the public domain, or can be used without identifying the individuals concerned.
- DATA SUBJECT PARTICIPATION
If an individual requests access to the personal information HWSETA holds about them, or requests that we change that personal information, HWSETA will allow access or make the changes unless we consider that there is a sound reason under relevant law to withhold the information (e.g. Promotion of Access to Information Act).
If HWSETA does not agree to provide access to personal information the individual may request the relevant regulator or a Court to review this decision.
The manner that a data subject uses to access personal information is detailed in the HWSETA PAIA manual and it is in accordance with the applicable guidelines. HWSETA does not charge individuals to make requests about their personal data.
- SECURITY SAFEGUARDS
HWSETA takes appropriate steps to protect the personal information it holds against loss, unauthorised access, use, modification or disclosure and against other misuse. These steps include organisational and technical measures, the procedures and controls to actively enforce policy, manage the confidentiality, integrity and availability of personal and other related information technology used to collect, use, transfer, retain and destroy data.
When no longer required, personal information is destroyed in a secure manner or deleted.
- APPROVAL AND REPORTING REQUIREMENTS
The approval of this policy shall lie with the Board as the Accounting Authority.
- CUSTODIAN OF THIS POLICY
The custodian of this policy is the HWSETA Board, which is supported in its implementation by the Executive Management.
This policy shall apply to all employees and Board members of the HWSETA. The Executive Committee is responsible for the administration, revision, interpretation, and application of this policy.
- ADHERENCE TO THE POLICIES AND PROCEDURE
Employees who contravene this policy will be disciplined in accordance with the HWSETA disciplinary policy.
- CREATING AWARENESS
All managers shall ensure that all employees are made aware of this policy.
This document shall be reviewed and revised as and when required, at a date decided by the Chief Executive Officer and the Board. All revisions shall be recorded in the Document Control Register and the superseded document destroyed.
- ALTERATIONS AND AMENDMENTS
Copies of this document shall be issued as controlled copies. No amendments, variations or alterations shall be of any effect unless reduced to a written document and approved by the Board.